apple_receipt 0.2.1 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0c311dbabcbaf9714e8453fb734d832b5888529c4ae550da7a6a21bb2e8cedd8
-  data.tar.gz: b108e90ced00f9e637e63521a7f686a1cca79d071750b0ab2a79dcd8a0b6eebb
+  metadata.gz: 7511e6788808d19d86cb23e8ea0d2e849d87456fb8610ef6a9f0f0767ab478f0
+  data.tar.gz: 25287ab80215937091d1c5c2daf7a8eec4bbaaca02fb76927a7f145d9f695c1d
 SHA512:
-  metadata.gz: 480b71baf6e56fbeed27c07cbc4f2513598944fa152e738532cf46265c47039ce34865e7efdc4dba680b0c0b0279b5573f50d68b5eee938b60c930b089f10126
-  data.tar.gz: eebd41a576d38e137fd399146030c913011ed0972518c46407be7e8a4274c5b7d1f6661a8b7bed299dd707c79e470dde45e9bddc87e63213202c67ec5cef143c
+  metadata.gz: 12c2d96e91980fc15ec79dd98078fb74cdc41ecb97789541af2727c1c6420449d1407e8b45195f19acebb9dcca7be19ad636906879292e437695f9a0717b5248
+  data.tar.gz: 003da0087b6ef41d040d7b0ecbb0b88288241cd73ceb897d368521133f5e0085987af5c063a137c44263ecbd35485733be29779668098ecd91619b4aa6150b05

data/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Apple Receipt changelog
 
+## v0.2.2
+
+- Updated README to add information about validation [\#13](https://github.com/koenrh/apple_receipt/pull/13)
+- Fixed snake case keys of 'purchase information' hash [\#11](https://github.com/koenrh/apple_receipt/pull/11)
+
 ## v0.2.1
 
 - Fixed path to bundled certificates [\#10](https://github.com/koenrh/apple_receipt/pull/10)

data/README.md

@@ -7,7 +7,7 @@
 This gem allows you to read and verify Apple receipts. It was originally built
 to locally (server-side) verify the validity of receipts that are embedded in
 [Status Update Notifications](https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/StoreKitGuide/Chapters/Subscriptions.html#//apple_ref/doc/uid/TP40008267-CH7-SW13).
-These receipts have a different format than [documented](https://developer.apple.com/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateLocally.html#//apple_ref/doc/uid/TP40010573-CH1-SW2)
+These receipts have a different format than the [documented](https://developer.apple.com/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateLocally.html#//apple_ref/doc/uid/TP40010573-CH1-SW2)
 App Store receipts you might be familiar with, which are [PKCS #7](https://tools.ietf.org/html/rfc2315)
 containers with a payload (receipt data) encoded using [ASN.1](https://www.itu.int/itu-t/recommendations/rec.aspx?rec=X.690).
 
@@ -46,21 +46,21 @@ receipt.valid?
 receipt.purchase_info
 # => {
 #   "quantity"=>"1",
-#   "expires-date-formatted"=>"2018-01-23 17:03:44 Etc/GMT",
-#   "is-in-intro-offer-period"=>"false",
-#   "is-trial-period"=>"false",
-#   "item-id"=>"1190360447",
-#   "app-item-id"=>"947936149",
-#   "transaction-id"=>"160000408504141",
-#   "web-order-line-item-id"=>"160000011000001",
+#   "expires_date_formatted"=>"2018-01-23 17:03:44 Etc/GMT",
+#   "is_in_intro_offer_period"=>"false",
+#   "is_trial_period"=>"false",
+#   "item_id"=>"1190360447",
+#   "app_item_id"=>"947936149",
+#   "transaction_id"=>"160000408504141",
+#   "web_order_line_item_id"=>"160000011000001",
 #   "bid"=>"com.foo.bar",
-#   "product-id"=>"com.foo.bar.monthly",
-#   "purchase-date"=>"2017-12-23 17:03:44 Etc/GMT",
-#   "original-purchase-date"=>"2017-12-23 17:03:53 Etc/GMT"
+#   "product_id"=>"com.foo.bar.monthly",
+#   "purchase_date"=>"2017-12-23 17:03:44 Etc/GMT",
+#   "original_purchase_date"=>"2017_12_23 17:03:53 Etc/GMT"
 # }
 ```
 
-## Apple receipts
+## Receipts
 
 A receipt is encoded as base64, and is formatted as a [NeXTSTEP](https://en.wikipedia.org/wiki/Property_list#NeXTSTEP)
 dictionary:
@@ -104,6 +104,17 @@ Both certificates chain up to:
 The `purchase-info` entry contains a base64-encoded NeXTSTEP dictionary that contains
 the actual receipt data (purchase info).
 
+## Validation
+
+First, the signing certificate is parsed from the signature binary data. The
+validation of the receipt works as follows.
+
+1. Verify that the signing certificate is valid, i.e. it is not expired, and
+   it chains up to either of the bundled Apple root certificates.
+2. Verify that the signature over the signed data (version number and receipt
+   data) is signed by the private key that correspond to the public key that is
+   in the signing certificate.
+
 ## Contributing
 
 Bug reports and pull requests are welcome on [GitHub](https://github.com/koenrh/apple_receipt).

data/lib/apple_receipt/next_step_parser.rb

@@ -12,7 +12,8 @@ module AppleReceipt
       raw_json = input.gsub(/;\n\t/, ",\n\t")
                       .gsub(/\ =/, ':')
                       .gsub(/;\n/, '')
-      JSON.parse(raw_json)
+      h = JSON.parse(raw_json)
+      h.transform_keys { |k| k.tr('-', '_') }
     end
   end
 end

data/lib/apple_receipt/receipt_parser.rb

@@ -20,12 +20,12 @@ module AppleReceipt
     def parse(input)
       receipt_hash = NextStepParser.parse(input)
 
-      unless Set['signature', 'purchase-info'].subset?(receipt_hash.keys.to_set)
+      unless Set['signature', 'purchase_info'].subset?(receipt_hash.keys.to_set)
         raise ArgumentError, 'Missing required fields'
       end
 
       signature_decoded = Base64.decode64(receipt_hash['signature'])
-      data_decoded = Base64.decode64(receipt_hash['purchase-info'])
+      data_decoded = Base64.decode64(receipt_hash['purchase_info'])
 
       version, signature, receipt_cert = read_signature(signature_decoded)
       [version, signature, receipt_cert, data_decoded]

data/lib/apple_receipt/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AppleReceipt
-  VERSION = '0.2.1'
+  VERSION = '0.2.2'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: apple_receipt
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.2.2
 platform: ruby
 authors:
 - Koen Rouwhorst
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-01-28 00:00:00.000000000 Z
+date: 2018-02-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json